Hi all,
I’m building a form where I need a user to verify either their mobile or email. The idea is that the user can choose which, and they’ll be sent a code to enter. The experience should be the same for both. Also, given it’s midway through a multi-step form, I don’t want them to be sent any ‘links’ that they need to click to verify.
The advised approach from this forum is to:
- On Submit:
a. Create a user account.
b. Populate a ‘verification_code’ field on the User type (using a random string generator)
c. Send the code to the channel (Email/SMS) chosen by the user.
- Have the user enter the code into a field and compare the value with the ‘verification_code’ field.
My questions are:
- How secure is this? Wouldn’t a malicious actor be able to inspect the User data type to see the code they need to enter (avoiding the need to provide a valid email/phone)?
- Many of the posts I am following are from a few years back… Given it’s late 2024, is there a better ‘out-of-the-box’ solution that’s consistent across mobile/email?
Thanks all
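As an added example (not from the original post or from any answer on the forum), the flow described above can be implemented so that reading the User record does not hand an attacker the code: only a keyed digest of the code is stored, the code expires, wrong guesses are counted, and the comparison is constant-time. The in-memory `users` dict standing in for the database, the `SERVER_KEY` and the field names are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical server-side secret (an assumption of this example). It belongs in the
# app's secret store or environment, never in a User field a client can read.
SERVER_KEY = secrets.token_bytes(32)

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60   # a code is only good for ten minutes
MAX_ATTEMPTS = 5             # after that the user must request a new code

# Constructed stand-in for the database: user_id -> fields on the User type.
users: Dict[str, dict] = {}


def _code_tag(user_id: str, code: str) -> str:
    """Keyed digest of the code, bound to the user id.

    A six-digit code has only a million possibilities, so an unkeyed hash of it could
    be brute-forced offline in milliseconds by anyone who reads the field. Including
    SERVER_KEY makes the stored tag useless without a secret that is not in the
    database, and binding the user id stops a tag being replayed against another account.
    """
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_code(user_id: str, channel: str, now: Optional[float] = None) -> str:
    """Create the User record if needed, store a keyed digest of a fresh code (never the
    code itself), and return the plaintext code for delivery over the chosen channel."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, not random.randint
    user = users.setdefault(user_id, {"verified": False})
    user.update({
        "verification_tag": _code_tag(user_id, code),
        "verification_channel": channel,     # "email" or "sms"
        "verification_expires": now + CODE_TTL_SECONDS,
        "verification_attempts": 0,
    })
    return code  # hand this to the email/SMS sender; it is not persisted anywhere


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code: enforce expiry and the attempt limit, compare in constant
    time, and make the code single-use by clearing it on success."""
    now = time.time() if now is None else now
    user = users.get(user_id)
    if user is None or "verification_tag" not in user:
        return False
    if now > user["verification_expires"] or user["verification_attempts"] >= MAX_ATTEMPTS:
        return False
    user["verification_attempts"] += 1          # count the attempt before comparing
    ok = hmac.compare_digest(user["verification_tag"], _code_tag(user_id, submitted))
    if ok:
        user["verified"] = True
        for field in ("verification_tag", "verification_expires", "verification_attempts"):
            user.pop(field, None)
    return ok


if __name__ == "__main__":
    code = issue_code("alice", "sms", now=1_000.0)
    wrong = "000000" if code != "000000" else "000001"
    print("stored User record:", users["alice"])       # no plaintext code in here
    print("wrong code accepted?", verify_code("alice", wrong, now=1_001.0))
    print("right code accepted?", verify_code("alice", code, now=1_002.0))
```

The point for the question asked: even with this scheme the `verification_tag` field should still be hidden from clients by whatever privacy or API rules the platform offers, but if it does leak, the attacker gets a digest they cannot invert without `SERVER_KEY`, and the attempt limit plus expiry mean the only remaining path is guessing at most five times online before the code is void. The same `issue_code`/`verify_code` pair serves both channels; only the delivery step differs.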